Introduction
Each day, the number of people using the Internet all over the world keeps rising; the Internet has become a necessity for everyone nowadays. Hence, while surfing the Internet, users may not realize that they are exposed to cyber threats and attacks. While performing activities on the Web, how many of them are concerned with the essential security measures that need to be taken? As technology emerges rapidly, so do the latest threats. One way of detecting such malicious attacks involves a luring agent that acts as a dummy target for these kinds of attacks. This dummy agent is popularly known as a Honeypot.
CyberSecurity Malaysia, through MyCERT, established a Honeynet project, a collection of distributed honeypots, to study how exploits function as well as to collect malware binaries. Honeypots are computer software mechanisms set up to mimic a legitimate site, ensnaring malicious software into believing that it is a legitimate site in a weak position against attack. Honeypots allow researchers to detect, monitor and counter malicious activity by understanding the activities completed during the intrusion phase and the attacks' payloads.
In mid 2007, a major overhaul of the Honeypot project took place under the Cyber Early Warning System (CEWS) project, and the result was known as LebahNET mini. The MyCERT Honeynet initiative was later renamed LebahNET 2.0 in 2015, a honeypot-based distributed system for detecting and capturing attacks that evade traditional security devices. It allows emulation of vulnerabilities in operating systems commonly used in enterprise infrastructure, so that the LebahNET 2.0 sensors deployed by CyberSecurity Malaysia can alert security administrators to the sources of attacks.
Objectives
The LebahNET 2.0 project aims to provide valuable supporting information, such as network trends and malicious activities, for MyCERT incident handling and advisory activities. LebahNET 2.0 also serves as a research network for analysts to experiment with relevant security tools and techniques.
Components
The LebahNET Sensor consists of 3 major components for service emulation.
- Glastopf – Web Application Honeypot
Glastopf is a Python web application honeypot designed to discover attacks based on vulnerability type emulation rather than emulation of individual vulnerabilities. This means that Glastopf determines and handles attacks by emulating the vulnerability type, which keeps it ahead of the attackers.
- Cowrie – SSH and Telnet Honeypot
Cowrie is a medium-interaction SSH honeypot written in Python that logs brute-force attacks and the entire shell interaction performed by an attacker.
- Dionaea – Samba, MySQL, MSSQL, FTP Honeypot
Dionaea features a modular architecture and embeds Python as its scripting language in order to emulate protocols. It is able to detect shellcode using libemu and supports IPv6 and TLS. Dionaea aims to trap malware exploiting vulnerabilities exposed through network services such as SMB, in order to ultimately obtain a copy of the malware.
2018 Overall Report
Throughout 2018, a total of about 15,985,775 events were received by LebahNET 2.0 sensors from about 207 countries. This year, Russia, the United States and China remained the top threat origins, and targeted attacks focused mostly on the SSH and Telnet services respectively. We observed that about 1,306 unique malware samples were used to perform these attacks.
Figure 1: Threat Origins Detected from LebahNET 2.0 (January ’18 to December ’18)
Figure 1 shows the percentage of threats originating from each country. The countries with the most significant attack volumes were Russia (3,332,574), the United States (3,078,236), China (1,471,013), France (947,952), Vietnam (601,718), Ireland (593,118), Brazil (548,026), the Netherlands (493,914), the Republic of Korea (383,667) and Cambodia (341,537), with other countries accounting for 3,939,377.
Figure 2: Targeted Services Timeline by LebahNET 2.0 (January ’18 to December ’18)
Figure 2 shows the monthly trend of attacks on system services from January 2018 until December 2018. In Q4 of 2018, telnetd and sshd were unusually and aggressively targeted compared with quarters 1, 2 and 3.
Figure 3: Type of Attack Detected from LebahNET 2.0 (January ’18 to December ’18)
Figure 3 shows the percentage of each attack type detected throughout the whole year. Through LebahNET 2.0, it was found that the most frequent attack types were bruteforce (9,380,857), sshbanner (3,390,709), upnp_request (1,883,386), shellcmd (521,034), webattack (411,730), mysqlcmd (345,823), libemu (42,500), fileupload (9,297), mqtt_connect (245), uploadattempt (180) and others (14).
Figure 4: Type of Malware Binaries from LebahNET 2.0 (January ’18 to December ’18)
Figure 4 shows the monthly trend of malware binaries captured from January 2018 until December 2018. During Q4 2018, the captured malware binaries showed a considerable number of Trojan variants.
Figure 5: Type of Web Attack Detected from LebahNET 2.0 (January ’18 to December ’18)
Figure 5 shows the percentage of each web attack type detected throughout the whole year. Through LebahNET 2.0, it was found that the most frequent web attack types were phpmyadmin (284,850), unknown (111,040), head (13,255), login (1,374), tomcat_manager (689), LFI (268), robots (119), style_css (66), php_cgi_rce (45), sqli (23) and other (1).
Attacks against xmlrpc.php
Figure 6: xmlrpc.php detected from LebahNET 2.0 (January ’18 to December ’18)
Interestingly, Figure 6 shows a total of 106 brute-force attempts against MyCERT LebahNET sensors that targeted xmlrpc.php. XML-RPC is a feature introduced by WordPress to enable remote updates from other applications. The brute-force attempts target WordPress's XML-RPC interface at /xmlrpc.php. Common applications that use the XML-RPC interface, such as the WordPress mobile application and the popular JetPack plugin, are normally seen together with their associated user-agent strings. Hence, it is odd to see a huge number of failed login attempts, as these applications typically store credentials locally.
XML-RPC entries can be identified as "POST /xmlrpc.php HTTP/1.0" in the web server logs; the location of the logs may vary according to the Linux distribution running on the web server. For Apache, use the command "$ sudo grep xmlrpc /var/log/apache2/access.log", and for Nginx, use "$ sudo grep xmlrpc /var/log/nginx/access.log" to search for XML-RPC attacks. For example, if an XML-RPC attack is hitting WordPress, the search should display results such as the following, where the 200 status shows that the traffic was allowed through: "111.222.333.444:80 555.666.777.888 - - [17/Jan/2019:23:33:50 -0500] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"".
Through the Apache and Nginx configuration, we can block XML-RPC by applying a few rules. However, bear in mind that applying this method will stop anything that uses XML-RPC from functioning. For Apache, we may edit the configuration file with "$ sudo nano /etc/apache2/sites-available/000-default.conf" and add the lines between the <VirtualHost> tags.
Next, save and close the file. To enable these changes, restart the server with the command "$ sudo service apache2 restart"; the equivalent method applies to Nginx. With all XML-RPC traffic blocked, the log will show an error status code for the brute-force attempts instead of a successful response. For instance, an Apache log entry might look like this: "111.222.333.444:80 555.666.777.888 - - [19/Jan/2019:14:33:46 -0500] "POST /xmlrpc.php HTTP/1.0" 500 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"".
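As an added example (not part of the MyCERT report and not LebahNET code), the following Python script does in a repeatable way what the grep commands above do by hand: it parses Apache combined-format log lines like the ones quoted above, counts POST requests to /xmlrpc.php per source address and per response status, and flags sources that exceed a request threshold. The per-status count also shows whether a block is taking effect, since allowed requests appear with status 200 and blocked ones with an error code. The sample log lines, the RFC 5737 documentation addresses in them, the threshold of 3 requests and the handling of the optional "host:port" prefix seen in the report's entries are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample Apache access-log lines modelled on the entries quoted in
# the report; the addresses come from RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.80:80 198.51.100.7 - - [17/Jan/2019:23:33:50 -0500] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.80:80 198.51.100.7 - - [17/Jan/2019:23:33:51 -0500] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.80:80 198.51.100.7 - - [17/Jan/2019:23:33:52 -0500] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.80:80 198.51.100.7 - - [17/Jan/2019:23:33:53 -0500] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.80:80 192.0.2.10 - - [17/Jan/2019:23:34:10 -0500] "GET /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
203.0.113.80:80 192.0.2.10 - - [17/Jan/2019:23:34:12 -0500] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/5.0"
203.0.113.80:80 198.51.100.7 - - [19/Jan/2019:14:33:46 -0500] "POST /xmlrpc.php HTTP/1.0" 500 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
this line is not a valid access-log entry and is skipped
"""

# Apache combined log format, optionally prefixed with a "vhost:port" field as in
# the report's entries (assumption: that prefix is the only deviation from the
# standard combined format).
LOG_RE = re.compile(
    r'^(?:\S+:\d+\s+)?'                              # optional "vhost:port "
    r'(?P<ip>\S+)\s+\S+\s+\S+\s+'                    # client ip, ident, auth user
    r'\[(?P<ts>[^\]]+)\]\s+'                         # timestamp
    r'"(?P<method>\S+)\s+(?P<path>\S+)\s+[^"]*"\s+'  # request line
    r'(?P<status>\d{3})\s+\S+\s+'                    # status code, bytes
    r'"[^"]*"\s+"(?P<ua>[^"]*)"'                     # referer, user-agent
)


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def xmlrpc_posts(lines):
    """Keep only POST requests whose path is /xmlrpc.php (a query string is tolerated)."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable lines are skipped, not counted
        if entry["method"] == "POST" and entry["path"].split("?", 1)[0] == "/xmlrpc.php":
            hits.append(entry)
    return hits


def summarize(lines, threshold=3):
    """Count XML-RPC POSTs per source address and per HTTP status, flagging busy sources.

    The threshold (a constructed value) is the number of POSTs from one address
    at which we consider it a brute-force source worth investigating.
    """
    hits = xmlrpc_posts(lines)
    per_ip = Counter(e["ip"] for e in hits)
    per_status = Counter(e["status"] for e in hits)
    flagged = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {
        "total": len(hits),
        "per_ip": dict(per_ip),
        "per_status": dict(per_status),
        "flagged": flagged,
    }


if __name__ == "__main__":
    # Run over the constructed sample; replace with open("/var/log/apache2/access.log")
    # to run over a real log.
    report = summarize(SAMPLE_LOG.splitlines())
    print(f"XML-RPC POSTs: {report['total']}")
    print(f"per source:    {report['per_ip']}")
    print(f"per status:    {report['per_status']}")
    print(f"flagged:       {report['flagged']}")
```

Note that WordPress answers a failed XML-RPC login with HTTP 200 and an XML fault in the body, so the status column only tells you whether a request reached the application (200) or was stopped by the web server block (an error code, 500 in the report's example); the request count per source address is the actual brute-force signal.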
Data gathered by LebahNET 2.0 sensors assists MyCERT in identifying current trends in malware attacks. LebahNET 2.0 sensors also allow researchers and cyber security experts to forecast new emerging types of attacks. The sensors also act as a platform that provides threat detection capability locally and globally, making CyberSecurity Malaysia a national asset. Continuous enhancement will be made by supporting more network services to emulate and adding more vulnerabilities to detect, which will ensure enriched and pertinent data collection.
Conclusion
LebahNET 2.0, developed by MyCERT, assists participants in identifying cyber-attacks within their networks. Identification of cyber threat trends will allow MyCERT to forewarn and advise stakeholders on cyber threat issues pertaining to Malaysia, in order to mitigate successful cyber-attacks.
Prepared by:
Nur Sarah Jamaludin
Reviewed by:
Ahmad Aizuddin Aizat Tajul Arif